We propose a formal model of concurrent systems in which the history of a computation is explicitly
represented as a collection of events that provide a view of a sequence of configurations. In our
model, events generated by transitions become part of the system configurations, leading to an operational
semantics with historical data. This model allows us to formalize what is usually done in symbolic
verification algorithms. Indeed, search algorithms often use meta-information, e.g., names of fired
transitions, selected processes, etc., to reconstruct (error) traces from symbolic state exploration. The
other interesting point of the proposed model is related to a possible new application of the theory of
well-structured transition systems (wsts). In our setting, wsts theory can be applied to formally extend
the class of properties that can be verified using coverability so as to take into account (ordered and
unordered) historical data. This can be done by using different types of representation of collections
of events and by combining them with wsts through closure properties of well-quasi orderings.


1 Introduction 


Well-structured transition systems (wsts) are an important class of infinite-state systems for which it is
possible to decide algorithmically verification problems like coverability and boundedness. This class
of systems includes models like Lossy Channel Systems, Petri Nets, Data Nets, Multiset Rewriting with
Constraints, and Timed Networks ll^ffll5ll3l [T^ITTllT4l[T5l. The theory behind wsts is based on two key
points: (a) a well-quasi ordering is introduced to compare configurations w.r.t. their information content,
(b) transitions are required to be monotone with respect to the considered ordering. The combination of
these two properties leads to a general framework in which it is possible to algorithmically decide a
class of reachability problems defined by considering target states larger than a given configuration. The
decision procedure is based on symbolic state exploration. Symbolic representations are based on the
finite-basis property of well-quasi orderings, namely every upward closed set can be finitely generated.
The minimal elements of an upward closed set are then used as symbolic representations of infinite sets
of configurations l|2l|4l|T4l. Apart from models like Petri nets and Lossy Channel Systems, the theory of
wsts has been applied to study computational models resulting from a combination of different types of
systems like pushdown automata with well-quasi ordered locations/data ||ll[8j|9l, asynchronous systems
defined by extending pushdown systems with an external memory ifTOl, and others.

In the present paper we use the theory of wsts as a tool to study properties of transition systems
extended with history information. In this setting, one possible formalization of the extended notion of
transition system is based on rules that generate events. In the operational semantics, events generated
during the application of transitions are collected in a read-only memory that acts as a sort of log. The
generated log can be queried in order to formalize properties related to the sequence of transitions that
yield a given configuration. Events can be defined as simple labels or as structured data that can share
information with configurations (e.g., an event contains a piece of data generated by a transition). By using
this idea, it is possible to define a generalized version of the coverability problem that takes into
consideration an ordering on states and an ordering on histories (logs). We refer to the resulting coverability
problem as History Coverability (HCOV). HCOV can be instantiated in order to formulate properties
like provenance and correspondence.
Wsts with history


In this paper we investigate this idea in two steps.

• We first study the problem of preserving wsts properties when extending a transition system with
events and histories/logs. In this setting we apply general results on (combinations of) well-quasi
orderings like Higman's Lemma in order to define conditions under which HCOV is still decidable
when the underlying transition system is a wsts. To obtain positive results in a compositional
way, it seems necessary to consider events that are independent from configurations. In this sense
we can think about extended transition systems in which we plug an ad hoc memory in which to
collect events that form a log of a given computation.

• We then consider a more general notion of log in which states and events are no longer independent,
e.g., they can share common data or time-stamps used to enrich the logs collected during a
computation. In this setting it seems more difficult to obtain positive results by using a compositional
approach based on closure properties of well-quasi orderings. For this reason, we propose a
different approach:

- we first fix the structure underlying the considered systems, e.g., we consider configurations
and logs as multisets of predicates/terms;

- we then apply a general purpose language called MSR(Id), an instance of multiset rewriting
with constraints in which values are ordered identifiers, as a meta-language in which to
encode different types of transition systems with history and logs.

For the considered models, we exploit properties of the host formalism in order to give conditions under
which it is possible to decide the HCOV problem even in presence of dependency relations between
configurations and logs. The resulting framework shows a potential new application of the theory of
well-structured transition systems to a class of properties like correspondence and provenance that go
beyond coverability.

2 Transition Systems

Given a quasi order $(S, \leq)$, an upward closed set of states is a subset $U \subseteq S$ such that for any $s \in U$, if
$s \leq s'$ then $s' \in U$. Given a set $B$ we say that $B$ generates the upward closed set $B\uparrow = \{s \mid s' \in B,\ s' \leq s\}$.

Definition A well quasi ordering $(S, \leq)$ is a quasi ordering such that for every infinite sequence of
elements $s_1 s_2 \ldots$ there exist $i < j$ such that $s_i \leq s_j$. A well quasi ordering has the finite basis property,
i.e., every upward closed set $U \subseteq S$ is generated by a finite set $B$.

Let $S$ be an infinite set of configurations. A transition system $T$ is a tuple $T = (S, \rightarrow, s_0)$ such that
$\rightarrow \subseteq S \times S$ is the transition relation, and $s_0$ is the initial state. We use $s_1 \rightarrow s_2$ to denote a pair $(s_1, s_2) \in \rightarrow$.

A computation is a sequence of states $s_0 s_1 s_2 \ldots$ s.t. $s_i \rightarrow s_{i+1}$ for $i \geq 0$. Given a transition system $T$, the
(one step) predecessor states of a set of configurations $A$ is defined as $Pre_T(A) = \{s \mid s \rightarrow t,\ t \in A\}$. The
whole set of predecessor states of a set of configurations $A$ is defined as $Pre^*_T(A) = \bigcup_{i \geq 0} Pre^i_T(A)$, where
$Pre^0_T(A) = A$, and $Pre^{i+1}_T(A) = Pre_T(Pre^i_T(A))$ for $i \geq 0$. We will often use $Pre$ instead of $Pre_T$ when
$T$ is clear from the context.

A transition system $T$ is monotone w.r.t. $\leq$ if for every $s_1, s_2, s_3 \in S$ s.t. $s_1 \rightarrow s_2$ and $s_1 \leq s_3$ there exists
$s_4$ s.t. $s_3 \rightarrow s_4$ and $s_2 \leq s_4$. In other words, the diagram formed by $s_1, s_2, s_3, s_4$ combining $\rightarrow$ and $\leq$
commutes.

Definition A transition system $T$ is well structured (wsts) if $T$ is monotone w.r.t. a well quasi ordering
$\leq$ on configurations.
We need two additional properties to obtain positive results for verification problems.

Definition A wsts* is a wsts that satisfies the following additional conditions:

• Given a basis $B$ of an upward closed set of configurations $U$, it is possible to algorithmically
compute a basis $B'$ of the set of predecessor states $Pre_T(U)$ of $U$;

• It is possible to algorithmically check whether $s_0$ belongs or not to an upward closed set of
configurations given by a finite basis.

The Coverability Problem (COV) is defined as follows. Given a transition system $(S, \rightarrow, s_0)$, a quasi
order $\leq$ on $S$, and a state $s_1 \in S$, we want to check whether or not there exists a state $s_2 \in S$ and a
computation from $s_0$ to $s_2$ s.t. $s_1 \leq s_2$. The problem can be generalized by considering an infinite set $I$
of initial configurations as follows. Given a state $s_1 \in S$, we want to check whether or not there exists an
initial state $s_0 \in I$, a state $s_2 \in S$ and a computation from $s_0$ to $s_2$ s.t. $s_1 \leq s_2$.

COV is decidable for wsts* transition systems |l 2 l| 4 l|T 4 l. The algorithm that can be used to decide
the problem is based on symbolic backward reachability. Specifically, let $B = \{s_1\}$ be the basis that
generates the upward closed set $B\uparrow$, i.e., the infinite set of configurations obtained by taking all states
that are larger, w.r.t. $\leq$, than $s_1$, namely $B\uparrow = \{s \mid s_1 \leq s\}$. Symbolic backward reachability computes the
chain (w.r.t. subset inclusion) of sets defined as

• $I_0 = B$,

• $I_{i+1} = I_i \cup Pre(I_i)$ for $i \geq 0$.

Clearly $I_i \subseteq I_j$ for $i < j$. Furthermore, it can be shown that the chain stabilizes (i.e., it reaches a least
fixpoint) if $\leq$ is a wqo. Namely, if $\leq$ is a wqo, then there exists $k$ s.t. $I_{k+1}\uparrow = I_k\uparrow$. When the algorithm
has reached the least fixpoint at step $k$, $I_k$ is a finite basis for $Pre^*(B\uparrow)$, i.e., $Pre^*(B\uparrow) = I_k\uparrow$. To test COV
we just need to check whether $s_0 \in I_k\uparrow$, a decidable test by definition of wsts*. The above described
(ideal) algorithm can be implemented using different types of heuristics. For instance, we can apply
a subsumption test to discard elements of $Pre(I_i)$ that are redundant w.r.t. information that is already
present in $I_i$.

Constraints or other forms of symbolic representations of upward closed sets of configurations can
be applied to lift the algorithm to procedures that combine external solvers or decision procedures. For
instance, when considering multisets defined over a finite set of symbols with multiset inclusion, we can
use numerical inequalities of the form $x_a \geq c$ to keep track of lower bounds on the number of occurrences
of a symbol $a$ (i.e., at least $c$ occurrences). This representation can then be used to apply
numerical solvers to handle upward closed sets of configurations.

3 Transition Systems with History

In this section we define an extended notion of transition systems with an explicit representation of
events generated during a computation. Events can be simple letters (as customary when reasoning on
languages generated by transition systems) or work as a sort of external memory in which to store not
only event labels but also pieces of data occurring in a configuration. In this paper we focus our attention
on logs defined via a read-only memory and consider conditions under which it is possible to extend
positive properties of wsts to transition systems with logs.

Let $S$ be an infinite set of configurations and $E$ be an infinite set of events. Furthermore, we say that
$H$ is a set of histories of $E$ if $H$ is an infinite set with: (a) an element $0 \in H$, and (b) a binary operation
$+ : E \times H \rightarrow H$.

For a transition system $(S, \rightarrow, s_0)$ and a set of events $E$, a transition system with history is a tuple
$(S, E, \rightarrow_h, s_0)$ such that, for $\rightarrow_h \subseteq S \times S \times E$ the transition relation with history, it holds that for each
$s \rightarrow_h s'[e]$ there exists a transition $s \rightarrow s'$ (i.e., the projection of $\rightarrow_h$ on $S \times S$ is $\rightarrow$). $s_0$ is the initial state.

A configuration with history is a pair $(s, h)$, written $s[h]$, s.t. $s \in S$ and $h \in H$, where $H$ is the set of all
possible histories with elements in $E$. We now define the notion of wsts with history. For this purpose,
we need to introduce an ordering $\sqsubseteq$ between histories (logs).

Definition A wsts with history (hwsts) is a tuple $(S, E, \rightarrow_h, s_0, \leq, +, \sqsubseteq)$ such that

• $(S, \rightarrow, s_0)$ is a wsts,

• $\rightarrow_h$ is a transition relation with history built on top of $S$ and $E$,

• if $s \rightarrow_h s'[e]$ and $s \leq t$, then there exists $t \rightarrow_h t'[e']$ s.t. $s' \leq t'$ and $e \sqsubseteq e'$,

• $+ : E \times H \rightarrow H$ satisfies the following property: if $h \sqsubseteq h'$ and $e \sqsubseteq e'$, then $e + h \sqsubseteq e' + h'$ for any
$e, e' \in E$,

• $(H, \sqsubseteq)$ is a well-quasi ordering.

A computation is a sequence of configurations with history $s_0[h_0]\, s_1[h_1]\, s_2[h_2] \ldots$ s.t. $h_0 = 0$, $s_i \rightarrow_h s_{i+1}[e_i]$
and $h_{i+1} = e_i + h_i$ for $i \geq 0$.

We now introduce the decision problem, called History Coverability Problem (HCOV), on which we will
focus our attention in the rest of the paper.

Definition Given a hwsts $(S, E, \rightarrow_h, s_0, \leq, +, \sqsubseteq)$, a state $s \in S$ and a history $h$, HCOV consists in checking
whether there exists a computation from $s_0[0]$ that can reach a configuration with history $s'[h']$ s.t.
$s \leq s'$ and $h \sqsubseteq h'$.

3.1 General Conditions for Decidability of HCOV

In this section we apply the theory of well-structured transition systems to obtain general conditions on
the decidability of HCOV. We first introduce an ordering on configurations with histories. Namely, we
define $s_1[h_1] \preceq s_2[h_2]$ if and only if $s_1 \leq s_2$ and $h_1 \sqsubseteq h_2$. The following property then holds.

Proposition 3.1 The ordering $\preceq$ is a well quasi ordering.

Proof For qo's $(A_1, \leq_1)$ and $(A_2, \leq_2)$, consider the qo $(A_1 \times A_2, \leq)$ such that $(a_1, a_2) \leq (a_1', a_2')$ iff $a_i \leq_i a_i'$
for $i = 1, 2$. The generalized version of Higman's lemma states that if $\leq_1$ and $\leq_2$ are wqo's, then the
above defined ordering $\leq$ is still a wqo.

We can apply the lemma to configurations of the form $s[h]$ with $s \in S$ and $h \in H$, assuming that both $\leq$
and $\sqsubseteq$ are wqo's. □

A hwsts then satisfies the following property.

Proposition 3.2 A hwsts is monotone w.r.t. $\preceq$, i.e., if $s_1[h_1] \rightarrow_h s_2[h_2]$ and $s_1[h_1] \preceq s_3[h_3]$, then there
exists $s_3[h_3] \rightarrow_h s_4[h_4]$ s.t. $s_2[h_2] \preceq s_4[h_4]$.

Proof By definition, $s_1[h_1] \rightarrow_h s_2[h_2]$ implies that there exists $s_1 \rightarrow_h s_2[e]$ s.t. $h_2 = e + h_1$. By definition
of hwsts, if $s_1 \leq s_3$, then there exists $s_3 \rightarrow_h s_4[e']$ s.t. $s_2 \leq s_4$ and $e \sqsubseteq e'$.

By the property of $+$, since $e \sqsubseteq e'$ and $h_1 \sqsubseteq h_3$, we have that $e + h_1 \sqsubseteq e' + h_3$, hence $h_2 \sqsubseteq h_4$ since $h_2 = e + h_1$ and
$h_4 = e' + h_3$. □

We now have a wsts in which we can represent the history of a computation by composing
events to form histories. It remains to define conditions under which we can algorithmically
compute predecessor states. Now consider the wqo $\preceq$ associated to a hwsts. Every upward closed set
$A$ of configurations with history can be represented by a finite basis, i.e., a finite set of configurations
with histories. Let us now call hwsts* a hwsts such that for any upward closed set of configurations with
history represented by a finite basis $B$, we can algorithmically compute a finite basis $B'$ for $Pre(B\uparrow)$. The
following property then holds.

Proposition 3.3 Fix a hwsts* and a basis $B$ of an upward closed set of configurations with history; we
can algorithmically compute a finite representation of $Pre^*(B\uparrow)$.

Proof Starting from $B$, we can iterate the application of $Pre$ and compute finite bases of the intermediate
results. The wqo condition ensures termination. □

The previous property can be exploited in order to define decision procedures for history dependent
properties. From Prop. 3.3 it follows that HCOV is decidable for hwsts* (the final test, whether $s_0[0]$ belongs to the
computed upward closed set, is the same membership test required of a wsts*). The algorithm is based on a
saturation procedure that computes a finite representation of $Pre^*(B\uparrow)$ where $B$ is the basis of the upward
closed set defined by the configuration $s[h]$. To give examples of history structures that satisfy the conditions of
our results, we have to instantiate $H$ and $+$. As an example, consider a domain $H$ defined as the set of
multisets of events in $E$ and $+$ as the multiset constructor, i.e., $e + h = \{e\} \oplus h$, where $\oplus$ denotes multiset
union. Let us assume that $(H, \sqsubseteq)$ is a well quasi ordering w.r.t. sub-multiset inclusion (e.g., $E$ is a finite
set and $\sqsubseteq$ is equality over elements). Then, we can apply the decision procedure of Prop. 3.3 to decide
coverability for state $s$ along paths that contain a given multiset of events.

Now consider a domain $H$ defined as the set of words in $E^*$ where $+$ is just concatenation, i.e.,
$e + h = e.h$. Let us assume that $(H, \sqsubseteq)$ is a better quasi ordering w.r.t. subword inclusion (again $E$ is a
finite set and $\sqsubseteq$ is equality over elements). Then, we can apply the decision procedure of Prop. 3.3 to
decide coverability for state $s$ along paths that contain a given sequence of events as a subword.

3.2 Automata with History

The first example that we consider is an extension of finite-state automata with history.

A finite-state automaton, interpreted as a computational model and not as a language acceptor, is a
tuple $A = (Q, \delta, s_0)$ where $Q$ is a finite set of states, $\delta \subseteq Q \times Q$ is a transition relation and $s_0 \in Q$.
An execution is a sequence of states $s_0 s_1 s_2 \ldots$ s.t. $(s_i, s_{i+1}) \in \delta$ for $i \geq 0$. Given states $s_0$ and $s_1$, the
reachability problem consists in checking whether there exists a computation from $s_0$ to $s_1$. Let us now
extend finite-state automata in order to maintain history information. We use $t = s \rightarrow s'$ to denote a single
transition $(s, s') \in \delta$. Let us now consider the standard way to associate words to computations based
on labeled transitions. In our setting labels can be viewed as events added to the current log as in the
transition $s \rightarrow s'[e]$. The semantics is defined by collecting events in the current history. Namely, for
$t = s \rightarrow s'[e]$, $s'[e.h]$ is a successor of $s[h]$ in which the history $h$ is extended with event $e$.

We now reformulate HCOV in this setting. Given states $s_0$ and $s_1$ and events $e_1$ and $e_2$, we are
interested in checking whether there exists a history $h$ and a computation from $s_0[\epsilon]$ to $s_1[h]$ such that
$e_2 e_1$ is a subword of $h$ (since $e.h$ prepends, a history lists the most recent event first). If $e_1$ and $e_2$ are associated to
transitions $t_1$ and $t_2$, this amounts to checking whether there exists a computation in which $t_2$ can be fired after $t_1$.

When events are elements from a finite alphabet, histories correspond to words generated by an
automaton. HCOV can then be solved using language inclusion by comparing the language generated by
automaton $A$ with a regular language that encodes the sequences of events we are interested in. We observe
that, since words are wqo w.r.t. the subword relation, from Prop. 3.3 we have that HCOV can be solved
via the backward reachability algorithm that, from a finite basis of the form $s[w]$ where $s \in Q$ and $w$ is
a history, computes all predecessor states. This property still holds for logs defined by different data
structures, e.g., when replacing words with counters that keep track of the number of occurrences of
events in a computation (a sort of Parikh image). In this setting we consider a finite number of counters
$c_1, \ldots, c_n$, one per event. The semantics is defined by collecting events in a multiset
instead of a word. Namely, for $t = s \rightarrow s'[e]$, $s'[e \oplus h]$ is a successor of $s[h]$, where $e \oplus h$ denotes the
multiset obtained by adding $e$ to the multiset $h$.

The resulting transition system is monotone w.r.t. equality over states and multiset inclusion over
logs. Logs can be viewed as counters that grow monotonically and count the number of occurrences of
events in a computation. We can now use $s[\varphi]$, where $\varphi$ is a constraint over the counters of the form
$c_1 \geq d_1, \ldots, c_n \geq d_n$ with $d_1, \ldots, d_n$ natural numbers, to obtain a class of queries for which HCOV is
decidable.


3.3 Petri Nets with History

The second example that we consider is related to Petri Nets with history.

A Petri net is a tuple $(P, T, M_0)$ where $P$ is a finite set of places, $T$ is a finite set of transitions, i.e., a
subset of $P^\oplus \times P^\oplus$ (pairs of multisets over $P$, see below), and $M_0$ is the initial marking. A marking is a mapping $M : P \rightarrow \mathbb{N}$ that associates $M(p)$
tokens to a given place $p$. Tokens can be viewed as indistinguishable process instances (i.e., processes
without identifiers or internal data). Places can be viewed as process states, i.e., a token in place $p$
corresponds to a process in state $p$. A marking can then be viewed as an abstract representation of
a global configuration of a concurrent system. Since the number of places is finite, a marking $M$ can
be viewed as a vector of natural numbers $(c_1, \ldots, c_n)$ where $c_i$ is the number of tokens in place $p_i$ for
$i = 1, \ldots, |P|$, or as a multiset over $P$ such that the number of occurrences of symbol $p$ in $M$ corresponds to
$M(p)$.

A transition $t$ describes a possible concurrent update of a finite number of tokens. More formally,
let $P^\oplus$ be the class of multisets over $P$. Let $t = (Pre, Post)$ with $Pre, Post \in P^\oplus$. $t$ is enabled at
marking $M$ if $Pre \sqsubseteq M$, using the multiset notation for markings ($\sqsubseteq$ is multiset inclusion). If $t$ is enabled
in $M$, the firing of $t$ yields a new marking $M'$ defined as $M' = (M \ominus Pre) \oplus Post$, using the multiset notation
for markings. Namely, the tokens in $Pre$ are removed from $M$ and those in $Post$ are added to the resulting
multiset. An execution is a sequence of markings $M_0 M_1 M_2 \ldots$ s.t. $M_{i+1}$ is obtained from $M_i$ by firing a
transition, for $i \geq 0$. We use $M_0 \rhd M$ to denote an execution from $M_0$ to $M$, i.e., $M$ is reachable from $M_0$.
Given markings $M_0$ and $M_1$, the coverability problem consists in checking whether there exists a marking
$M_2$ s.t. $M_0 \rhd M_2$ and $M_1 \sqsubseteq M_2$. The coverability problem then requires to find a reachable marking that
contains in each place at least as many tokens as those contained in $M_1$. This problem can be used to
encode reachability of configurations that violate a safety property (e.g., a configuration in which a token
is in an error place).

Let us now extend Petri Nets in order to maintain history information. We now consider histories
defined via sequences of transition names $t_1 t_2 \ldots$ and transitions that emit events of the form $h_t$:

$Pre \rightarrow Post\,[h_t]$

The semantics with history is defined by collecting events in the current history. Namely, for $t = (Pre, Post)$,
$(Pre \oplus M)[h] \rhd (Post \oplus M)[h_t . h]$ denotes the extension of history $h$ with the event $h_t$. Since
multisets are wqo w.r.t. the sub-multiset relation and words are wqo w.r.t. the subword relation, from
Prop. 3.3 we have that HCOV is decidable via a backward reachability algorithm that works over finite
bases of the form $M[w]$ where $M$ is a marking and $w$ is a history.

Theorem 3.4 HCOV is decidable for Petri Nets with history.
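As an added example (this is not code from the paper), the following Python implements the symbolic backward reachability of Section 2 over finite bases of pairs marking[history] for Petri nets with history, with both history representations discussed above: Parikh counters of transition names under sub-multiset inclusion (Section 3.2) and words of transition names, most recent first, under the subword order (Section 3.3). The predecessor of a basis element is computed componentwise, which is exactly what Proposition 3.3 needs: $Pre$ on markings is the usual Petri net one, and on histories it drops one occurrence of the fired transition from a counter, or the leading letter of a word when it is that transition. The toy net, its queries and the names `marking_pre`, `parikh_pre`, `word_pre`, `minimize` and `hcov` are this example's own constructions.

```python
"""Backward HCOV for Petri nets with history (added example, not from the paper).

A basis element is a pair (marking, history).  Markings are tuples of naturals
ordered componentwise.  The history is either a Parikh vector of transition
counts (sub-multiset order) or a word of transition names, most recent first,
under the subword order.  Both are wqos, so I_0 = B, I_{i+1} = I_i u Pre(I_i)
stabilises (Prop. 3.3) and the chain can be computed by saturation.
"""


def marking_pre(m, pre, post):
    """Least marking from which firing (pre, post) reaches a marking >= m."""
    return tuple(max(mi - po, 0) + pr for mi, pr, po in zip(m, pre, post))


# --- history as Parikh counters (unordered events, Section 3.2) ---------
def parikh_pre(h, t_index, _name):
    """H + {t} >= h holds exactly when H >= h with one t removed (floored at 0)."""
    h = list(h)
    h[t_index] = max(h[t_index] - 1, 0)
    return tuple(h)


def parikh_leq(h1, h2):
    return all(a <= b for a, b in zip(h1, h2))


# --- history as a word of transition names, subword order (Section 3.3) --
def word_pre(h, _t_index, name):
    """t.H contains h as a subword iff H contains h, or h = t.h' and H contains h'."""
    return h[1:] if h and h[0] == name else h


def is_subword(u, v):
    it = iter(v)
    return all(c in it for c in u)  # greedy left-to-right embedding of u in v


# --- generic saturation over pairs -------------------------------------
def leq(x, y, hist_leq):
    (m1, h1), (m2, h2) = x, y
    return all(a <= b for a, b in zip(m1, m2)) and hist_leq(h1, h2)


def minimize(elems, hist_leq):
    """Keep only minimal elements: the finite basis of the union of upward closures."""
    out = []
    for e in elems:
        if any(leq(o, e, hist_leq) for o in out):
            continue  # subsumed by something already kept
        out = [o for o in out if not leq(e, o, hist_leq)] + [e]
    return out


def hcov(net, m0, h0, targets, hist_pre, hist_leq):
    """History coverability: can (m0, h0) reach some (M, H) above a target?

    net is a list of (name, pre, post); targets a list of (marking, history).
    Returns (answer, basis of Pre*(targets^)).
    """
    basis = minimize(list(targets), hist_leq)
    frontier = list(basis)
    while frontier:
        new = [(marking_pre(m, pre, post), hist_pre(h, i, name))
               for (m, h) in frontier
               for i, (name, pre, post) in enumerate(net)]
        new = [c for c in new if not any(leq(b, c, hist_leq) for b in basis)]
        if not new:
            break  # least fixpoint reached: I_{k+1}^ = I_k^
        basis = minimize(basis + new, hist_leq)
        frontier = [c for c in new if c in basis]
    covered = any(leq(b, (m0, h0), hist_leq) for b in basis)
    return covered, basis


# Constructed toy net: places (p, q, r); a single token cycles between p and q
# via t1, t2; t3 needs a token in r, which is never produced.
NET = [("t1", (1, 0, 0), (0, 1, 0)),
       ("t2", (0, 1, 0), (1, 0, 0)),
       ("t3", (0, 0, 1), (0, 0, 1))]
M0 = (1, 0, 0)

if __name__ == "__main__":
    # t1 fired at least twice with the token back in p: t1 t2 t1 does it -> True
    print(hcov(NET, M0, (0, 0, 0), [((1, 0, 0), (2, 0, 0))], parikh_pre, parikh_leq)[0])
    # some t3 in the log: impossible, r is never marked -> False
    print(hcov(NET, M0, (0, 0, 0), [((0, 0, 0), (0, 0, 1))], parikh_pre, parikh_leq)[0])
    # ordered query: t1 then t2 (log is most recent first), token back in p -> True
    print(hcov(NET, M0, (), [((1, 0, 0), ("t2", "t1"))], word_pre, is_subword)[0])
```

The subsumption step in `minimize` is the heuristic mentioned at the end of Section 2; without it the chain would still stabilise, but the basis would carry redundant elements. Note that `marking_pre` never requires a token the transition does not consume, so the same function serves plain coverability (Section 2) when the history is ignored, e.g. with an always-true `hist_leq`.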


4 Transition Systems with History

In the previous section we have defined separate conditions on states and histories to deduce wsts properties
for transitions that generate events collected during a computation. This kind of reasoning can be
applied to histories defined by elements that are independent from states, e.g., symbols that represent
events in the execution. However, there are situations in which it could be more convenient to maintain
relations between elements in the state and elements in the history. Generalizing the notion of history
transition system in order to maintain well-structuredness is not immediate without more information
about the structure of configurations and events. In this section we consider a possible formulation of the
considered properties within MSR($\mathcal{C}$), a formal model of concurrent computation that combines rewriting
and constraints. The idea here is to exploit the expressiveness of the considered framework as a
possible host language in which to represent transition systems with history. We will introduce MSR($\mathcal{C}$)
in the following section.

4.1 MSR($\mathcal{C}$)

MSR($\mathcal{C}$) is a formal model for concurrent systems based on a combination of rewriting and constraints.

A constraint system $\mathcal{C}$ is defined by formulas with free variables in $V$, an interpretation domain $\mathcal{D}$ and
a satisfiability relation $\models$ for formulas in $\mathcal{C}$ interpreted over $\mathcal{D}$. We use $\mathcal{D} \models_\sigma \varphi$ to denote satisfiability
of $\varphi$ via a substitution $\sigma : Var(\varphi) \rightarrow \mathcal{D}$, where $Var(\varphi)$ is the set of free variables in $\varphi$.

For a fixed set of predicates $P$, an atomic formula with variables has the form $p(x_1, \ldots, x_n)$ where
$p \in P$ and $x_1, \ldots, x_n \in V$. A rewriting rule has the form $M \rightarrow M' : \varphi$, where $M$ and $M'$ are multisets of
atomic formulas with variables over $P$ and $V$, and $\varphi$ is a constraint formula over the variables $Var(M \oplus M')$
occurring in $M \oplus M'$. We use $M = A_1, \ldots, A_n$ to denote a multiset of atoms.

MSR(Id) is the instance obtained by considering the constraint system Id defined as follows.

• Constraint formulas are defined by the grammar $\varphi ::= \varphi_1, \varphi_2 \mid x = y \mid x < y$ for variables $x, y \in V$.
Here $\varphi_1, \varphi_2$ denotes the conjunction of the formulas $\varphi_1$ and $\varphi_2$.

• The interpretation domain is defined over an infinite and ordered set of identifiers $(Id, =, <)$.

• For a substitution $\sigma : V \rightarrow Id$, $x = y$ is interpreted as $\sigma(x) = \sigma(y)$, $x < y$ is interpreted as $\sigma(x) < \sigma(y)$,
and $\varphi_1, \varphi_2$ is interpreted as $\sigma(\varphi_1) \wedge \sigma(\varphi_2)$.

A constraint $\varphi$ is satisfied by a substitution $\sigma$ if $\sigma(\varphi)$ evaluates to true. An instance $M\sigma \rightarrow M'\sigma$ of a
rule $M \rightarrow M' : \varphi$ is defined by taking a substitution $\sigma : Var(M \oplus M') \rightarrow Id$ such that $\sigma(\varphi)$ is satisfied in
the interpretation Id.

As an example, consider the rule $p(x, y), q(x) \rightarrow p(x, y), q(x), q(u) : x < u$. The intuition is that processes
$p(x, y)$ and $q(z)$ synchronize when $x = z$ and generate a new instance $q(u)$ with $x < u$. By associating
natural numbers to identifiers, $p(1, 2), q(1) \rightarrow p(1, 2), q(1), q(4)$ and $p(3, 10), q(3) \rightarrow p(3, 10), q(3), q(8)$
are two instances of the considered rule. We use $Inst(R)$ to indicate the infinite set of instances of a set $R$
of MSR rules.

A configuration is a multiset $N$ of atoms of the form $p(d_1, \ldots, d_n)$ with $d_i \in Id$ for $i = 1, \ldots, n$. For a
set $R$ of rules and a configuration $N$, a rewriting step is defined by the relation $\rhd$ s.t.

$N = (M \oplus Q) \rhd (M' \oplus Q) = N'$

for $(M \rightarrow M') \in Inst(R)$. A computation is a sequence of configurations $N_0 N_1 \ldots N_n \ldots$ s.t. $N_i \rhd N_{i+1}$ for
$i \geq 0$.

The coverability problem for MSR(Id), MSRCOV, is defined as follows. Given a specification $R$,
an initial configuration $M_0$, and a predicate $ok$, is there a computation from $M_0$ to a configuration $M_1$ that
contains at least one occurrence of predicate $ok$?

Coverability is undecidable in general, but decidable for monadic predicates only ifTTl. In this setting
we admit only predicates of the form $p(x)$ where $x$ is a variable that may occur in a constraint. MSR(Id)
with monadic predicates subsumes Petri Nets and has the same expressive power as Data Nets [ 3 l]. It is
important to observe that in a rule $M \rightarrow M' : \varphi$ it is not required that all variables occurring in $M'$ occur
in $M$. A variable that occurs only in $M'$ can be instantiated with an arbitrary identifier, as variable $u$ in
the above discussed rule $p(x, y), q(x) \rightarrow p(x, y), q(x), q(u) : x < u$. Even for fixed instantiations of $x, y$ we
can still consider an infinite set of instances for variable $u$ (all values larger than the instantiation of $x$).

The decision procedure for monadic MSR(Id) is based on a symbolic representation of upward closed
sets of configurations obtained as follows. We consider constrained configurations of the form $\Psi =
(p_1(x_1), \ldots, p_n(x_n) : \varphi)$, where $\varphi$ is a constraint with variables in $x_1, \ldots, x_n$. We then assign the following
denotation to a constrained configuration $\Psi$:

$Inst(\Psi) = \{M\sigma \oplus Q \mid \Psi = (M : \varphi),\ \sigma : Var(M) \rightarrow Id,\ \sigma(\varphi) \text{ is satisfied}\}$

Notice that in the denotation of $\Psi$ we consider all possible instances $M\sigma$ of the multiset $M$ as well as all
possible configurations larger than $M\sigma$, i.e., that contain more processes.

4.2 MSR(Id) as a Metalanguage for History Transition Systems

We now show that MSR(Id) can be used as a meta-language to represent transition systems with history.
This allows us to infer good properties for transition systems in which events and configurations share
common information (are in some relation). In particular, if the encoding of the transition system yields
a specification in MSR(Id) with monadic predicates only, then from decidability of MSRCOV we obtain
decidability of HCOV.

4.2.1 Petri Nets with history

Let us go back to Petri Nets with history and consider transitions that emit events of the form $h_t$ (names of
transitions), e.g., $Pre \rightarrow Post\,[h_t]$. The semantics with history is defined by collecting events in the current
history. Namely, for $t = (Pre, Post)$, $(Pre \oplus M)[h] \rhd (Post \oplus M)[h_t . h]$ denotes the extension of history $h$ with
event $h_t$.

The extended notion of history can be encoded in MSR by using time-stamps as described next. We
first introduce a predicate $time(t)$ to associate a time-stamp to each firing step. Transitions with history
are represented then as rewriting rules of the following form:

$Pre, time(t) \rightarrow Post, time(t'), h_i(t) : t' > t$

We use the predicate $h_i$ to denote an application of transition $t_i$; its argument is the time-stamp consumed by that firing. A configuration in the resulting model
consists of a marking $M$, a predicate $time(t)$, and a multiset of events $Ev$.

By construction, we have that if $(M_0 \oplus T_0 \oplus Ev_0)(M_1 \oplus T_1 \oplus Ev_1) \ldots (M_n \oplus T_n \oplus Ev_n)$ is a computation, then $T_i = \{time(t_i)\}$
for $i = 0, \ldots, n$ and $t_0 < t_1 < \cdots < t_n$.

The time predicate can then be exploited in order to define queries on the history of a computation.
For instance, we can define an MSR rule of the form $h_{t_1}(x), h_{t_2}(y) \rightarrow ok : x < y$ in order to check whether
a given sequence of transitions, e.g., $t_1$ before $t_2$, can be fired during a computation. Indeed, coverability
w.r.t. the initial configuration $M_0, time(t_0)$ and predicate $ok$ amounts to checking whether there exists an
execution that can reach a configuration in which $h_{t_1}(s), h_{t_2}(p)$ occur for $s < p$.

4.2.2 Processes with data 

Consider now a multiset rewriting system with monadic predicates used as a model of processes with 
data. Take for instance, the following rule: 

in which ti,..., ,..., 5 „j are terms with variables (e.g. tuple of terms). 

In this setting we use the atomic formula p{t) to represent a process instance with state p and local 
data t. Furthermore, we use (fi),... to represent a multiset of atomic formulas. 

This kind of transition systems (or extensions of them) have been used to model concurrent processes 
with local data (identifiers, fime-sfamp) in models like Timed Nefworks, Dafa Nefs, MSRC^). 

In fhis selling if could be inferesling lo defined history information fhal keep hacks of dafa occurring 
in fhe currenf configuration. This is whaf is oflen needed lo verify properlies like correspondence in 
prolocol verificalion, i.e., principals complele profocols mainlaining fhe same nonce, identifier, elc. 

For inslance, consider rule 

p{x)My)^ (a) 

in which x,y are exislenlially quantified variables. This rule can be used to specify a synchronization step 
in which a process in sfafe p passes ils local dafa to a process in sfafe q. To keep hack of fhis evenl, we add 
predicates fhal mainlain information abouf dafa. For inslance, fhe rule p{x),q{y) —)• p\x),q'{x)[hp^q{x)] 
adds a predicate hp^q{x) lo fhe hislory keeping hack of fhe dafa exchanged during fhe synchronization 
slep. In fhis selling, when considering conditions fhal could be used lo obfain wsls, we cannol keep slate 
and histories separaled. In general a rule 

Pl{ti),...,Pn{tn) ^ q\{s\),...,qm{Sm)[e\ 

in which e is a predicate fhal shares variables wilh ti,... is hanslaled into fhe MSR(Id) 

formula 

p\{t\),...,pn{tn) ^ q\{s\),...,qm{sm),e '.true 

When all predicates occurring in fhe resulling rewrifing rules are monadic, Ihen HCOV can be decided 
by resorfing fhe fhe decision procedures for MSRCOV. 

We consider here an example presented in [17] that describes how MSR can be applied to track data 
in a computation in order to discover, or prove the absence of, permission conflicts in abstract models of 
component-based systems (inspired by the Android OS). We consider a process of type $C$ that handles 
the contents of a device. A process of type $I$ represents a potential intruder. We assume here that $C$ 
and $I$ have incompatible permissions, e.g. $C$ can access the device data whereas $I$ cannot. If during a 
computation an identifier is transferred from a process of type $C$ to a process of type $I$, then the system 
may behave incorrectly. In our abstraction of activities, we just need one local datum per component, used 
to store received data. The content component contains an identifier associated to the device private data. 
Since each component is defined by send/receive operations only, the MSR(Id) model consists of the 
following rewriting rules:

$$c_1(x), a_1(y), ok \to c_1(x), a_2(x), h_a(x), ok : true$$
$$a_2(x), b_1(y), ok \to a_2(x), b_2(x), h_b(x), ok : true$$
$$b_2(x), i_1(y), ok \to b_3(x), i_1(x), h_i(x), ok : true$$

where $c_1$ is the single state of process type $C$; $a_1, a_2, a_3$ are the states of an intermediate process of type $A$ 
(application) that invokes the services of the content provider $C$; $b_1, b_2, b_3$ are the states of an intermediate 
process of type $B$ that receives data from the application and sends them over the Internet; and $i_1$ is the 
single state of process type $I$ (it represents an intruder or simply access to the Internet). 

The initial configuration is defined via the following rules:

$$init \to init, max(x) : true$$
$$init, max(x) \to q(x), max(y) : x < y, \qquad q \in \{a_1, b_1, c_1, i_1\}$$
$$init, max(x) \to ok : true$$

These rules assign distinct identifiers to each instance of every type of process. Starting from $init$ we can 
generate any number of instances of processes of type $A$, $B$, $C$, and $I$. The following rule specifies 
conflict detection due to information leaking from the content provider to the Internet component.

$$h_c(x), h_i(x) \to conflict$$

Checking whether a conflict can be reached can be done by executing a symbolic backward exploration that exploits 
the constrained multiset $h_c(x), h_i(x) : true$ as a symbolic representation of all possible larger configurations 
containing instances of $C$. The computation of predecessors is fully automated. Furthermore, 
termination is guaranteed by the well-structured property of monadic MSR(Id) proved in [11]. 

For the considered example, we perform the following experiments. First of all, the rewriting rules 
are represented in Prolog as the following set of facts.

rule([c1(X),a1(_)],[c1(X),a2(X),ha(X)],{},1).
rule([b1(_),a2(X)],[b2(X),a3(X),hb(X)],{},2).
rule([b2(X),i1(_)],[b3(X),i1(X),hi(X)],{},3).

We omit here the initialization phase to simplify the analysis (e.g. we can omit the ok predicate). The 
seed of the backward search is the fact f(0,[hc(A),hi(A)],{},1,0,0). A fact $f(i, m, c, n, r, f)$ 
denotes a multiset constraint $m : c$ computed at step $i$ of the analysis, with order number $n$, obtained 
by applying rule $r$ backwards to a non-deterministically chosen submultiset of the multiset constraint 
contained in fact $f$. Each fact $f(i, m, c, v_1, v_2, v_3)$ is a representation of an infinite set of configurations 
obtained by first taking an instantiation $m_1$ of the formula $m : c$ and then by taking any multiset $m' = 
m_1 \oplus m_2$ for any multiset $m_2$. 

The symbolic backward engine computes all predecessors in three steps:

f(3, [c1(A),a1(_),b1(_),i1(_),hc(A)], {}, 4, 3, 1).
f(2, [b1(_),a2(A),i1(_),hc(A)], {}, 3, 2, 2).
f(1, [b2(A),i1(_),hc(A)], {}, 2, 1, 3).
f(0, [hc(A),hi(A)], {}, 1, 0, 0).

The constraint {} is equivalent to true. The symbol _ corresponds to an anonymous free variable. 
Initial configurations are contained in the resulting infinite set of configurations. From the fixpoint, we 
can build a trace from an initial configuration to a conflict. We just have to follow the history of the 
predecessor computation. Fact 4 is generated from fact 3 via rule 1. Fact 3 is generated from fact 2 via 
rule 2. Fact 2 is generated from fact 1 via rule 3. In the trace we can verify that an identifier can move 
from an instance of a content component to an instance of an Internet component, yielding a violation 
that cannot be detected by using the underlying permission model. 

To avoid conflicts, we can modify the definition of the A and B processes so that the start method is 
invoked without adding data in the intent. The resulting rules (in Prolog notation) are as follows.

rule([c1(X),a1(_),ok],[c1(X),a2(X),hc(X),ha(X),ok],{},1).
rule([b1(Z),a2(X),ok],[b2(Z),a3(X),ok],{},2).
rule([b2(X),i1(_),hb(X),ok],[b3(X),i1(X),hb(X),hi(X),ok],{},3).

In the second rule, instances of A and B synchronize with no data exchange (each process keeps the old 
value in its register). Via the analysis with backward search, we now get the following fixpoint:

f(3, [c1(_),a1(_),ok,b1(A),i1(_),hc(A)], {}, 4, 3, 1).
f(2, [b1(A),a2(_),ok,i1(_),hc(A)], {}, 3, 2, 2).
f(1, [b2(A),i1(_),ok,hc(A)], {}, 2, 1, 3).
f(0, [hc(A),hi(A)], {}, 1, 0, 0).

Fact 3 has only instances in initial states (c1, a1, b1, i1) and thus is a candidate to contain denotations of 
initial configurations. However, in fact 3, b1 of type B has an identifier shared with the footprint hc associated to 
type C. By definition, in initial configurations each identifier has the type associated to the process in which 
it is stored. Thus, no instance of the pattern represented by fact 3 can be an initial state. Namely, any 
multiset $m \oplus m'$ s.t. $m$ is an instance of [c1(_),a1(_),ok,b1(A),i1(_),hc(A)] cannot be an initial 
state. The same holds for fact 0: its denotation cannot contain initial configurations (it is not possible that 
the same identifier belongs to different footprints in an initial configuration). Since symbolic backward 
reachability generates all symbolic predecessors of upward closed sets of configurations, the fixpoint is 
a proof that the modified model is conflict-free for any number of nodes in initial configurations. 
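To make the symbolic backward engine used in the experiments above concrete, the following Python program implements the same analysis over monadic MSR(Id) rules with `true` constraints: backward predecessor computation through partial matches of a rule's right-hand side, pruning by the embedding order (the wqo that guarantees termination), and the initial-state typing check that distinguishes the two rule sets. This is an added example and not the Prolog tool the paper used: it transcribes the page's first Prolog rule set (with `ok` omitted, as the text allows), takes the description of the modified model (A and B synchronize without exchanging data) as a second rule set with the extra footprints dropped, and encodes the typing argument on initial identifiers in `contains_initial`; the function names `predecessors`, `covers`, `backward_fixpoint` and `conflict_run` are mine.

```python
from itertools import combinations, permutations

# Atoms are (predicate, variable); nullary predicates use variable None.
# A symbolic fact is a sorted tuple of atoms with constraint `true`, so
# identifiers are related only through variable sharing (monadic MSR(Id)).
_counter = 0

def _fresh(base):
    global _counter
    _counter += 1
    return f"{base}{_counter}"

def rename_apart(atoms):
    """Rename a rule's variables apart; every '_' becomes a distinct variable."""
    table = {}
    return [(p, None if v is None else _fresh('_') if v == '_'
             else table.setdefault(v, _fresh(v + '_'))) for p, v in atoms]

def _find(sub, v):
    while v in sub:
        v = sub[v]
    return v

def canon(atoms, sub=None):
    """Apply a unifier and sort, so that facts can be compared structurally."""
    sub = sub or {}
    return tuple(sorted(((p, _find(sub, v)) for p, v in atoms),
                        key=lambda a: (a[0], a[1] or '')))

def predecessors(target, rule):
    """Minimal symbolic predecessors of the upward closure of `target` through
    rule (lhs, rhs): pick k >= 1 atoms of rhs, unify them with k distinct atoms
    of target, drop those atoms and add the renamed lhs.  Unmatched rhs atoms
    need no treatment because the system is monotone."""
    renamed = rename_apart(rule[0] + rule[1])
    lhs, rhs = renamed[:len(rule[0])], renamed[len(rule[0]):]
    out = set()
    for k in range(1, min(len(rhs), len(target)) + 1):
        for rs in combinations(range(len(rhs)), k):
            for ts in permutations(range(len(target)), k):
                if any(rhs[r][0] != target[t][0] for r, t in zip(rs, ts)):
                    continue
                sub = {}
                for r, t in zip(rs, ts):                # unify identifiers
                    a, b = _find(sub, rhs[r][1]), _find(sub, target[t][1])
                    if a is not None and b is not None and a != b:
                        sub[a] = b
                rest = [target[t] for t in range(len(target)) if t not in ts]
                out.add(canon(rest + lhs, sub))
    return out

def covers(small, big):
    """True iff every instance of `big` contains an instance of `small`: the
    atoms of small embed injectively into big under one consistent renaming of
    small's variables.  This embedding is the wqo that stops the search."""
    def go(i, used, vmap):
        if i == len(small):
            return True
        p, v = small[i]
        for j, (q, w) in enumerate(big):
            if j in used or p != q or (v is not None and vmap.get(v, w) != w):
                continue
            if go(i + 1, used | {j}, vmap if v is None else {**vmap, v: w}):
                return True
        return False
    return go(0, frozenset(), {})

def backward_fixpoint(rules, seed):
    """Saturate pre*(up(seed)) keeping only minimal facts, like the numbered f/6
    facts above.  Maps each fact to the rules applied backwards to reach it."""
    todo, facts = [(canon(seed), ())], {}
    while todo:
        m, path = todo.pop()
        if any(covers(v, m) for v in facts):
            continue                                    # subsumed: prune
        for v in [v for v in facts if covers(m, v)]:
            del facts[v]                                # m is smaller: replace
        facts[m] = path
        for i, rule in enumerate(rules):
            todo.extend((p, path + (i,)) for p in predecessors(m, rule))
    return facts

INITIAL_STATES = {'c1', 'a1', 'b1', 'i1'}
FOOTPRINT_OF = {'hc': 'c1'}     # initially the footprint hc(x) sits only beside c1(x)

def contains_initial(fact):
    """Does the upward closure of `fact` contain an initial configuration?  Every
    process is in its start state, hc is the only footprint, and an identifier is
    shared only between a footprint and the process of its own type (assumption
    encoding the page's typing of initial identifiers)."""
    shared = {}
    for p, v in fact:
        if p not in INITIAL_STATES and p not in FOOTPRINT_OF:
            return False
        if v is not None:
            shared.setdefault(v, []).append(p)
    allowed = [sorted(pair) for pair in FOOTPRINT_OF.items()]
    return all(len(ps) == 1 or (len(ps) == 2 and sorted(ps) in allowed)
               for ps in shared.values())

def conflict_run(rules, seed):
    """None if no initial configuration reaches up(seed); otherwise the forward
    sequence of rule numbers (1-based, as in the Prolog facts) of a witness run."""
    for fact, path in backward_fixpoint(rules, seed).items():
        if contains_initial(fact):
            return [i + 1 for i in reversed(path)]
    return None

# Rule sets transcribed from the page's first Prolog encoding (ok omitted).
LEAKY = [
    ([('c1', 'X'), ('a1', '_')], [('c1', 'X'), ('a2', 'X'), ('ha', 'X')]),
    ([('b1', '_'), ('a2', 'X')], [('b2', 'X'), ('a3', 'X'), ('hb', 'X')]),
    ([('b2', 'X'), ('i1', '_')], [('b3', 'X'), ('i1', 'X'), ('hi', 'X')]),
]
# Modified model: A and B synchronize without exchanging data (assumption: the
# shape of the page's second rule set with ok and the hb footprint dropped).
FIXED = [LEAKY[0], ([('b1', 'Z'), ('a2', 'X')], [('b2', 'Z'), ('a3', 'X')]), LEAKY[2]]
SEED = [('hc', 'A'), ('hi', 'A')]           # the conflict pattern hc(x), hi(x)

if __name__ == '__main__':
    print("leaky model:", conflict_run(LEAKY, SEED))   # [1, 2, 3]
    print("fixed model:", conflict_run(FIXED, SEED))   # None
```

On the leaky rules the search produces the same four minimal facts as the Prolog run and reconstructs the run C to A to B to I (rules 1, 2, 3); on the modified rules the fixpoint is reached with no fact whose upward closure contains an initial configuration, which is the conflict-freedom argument above. Pruning uses only embedding modulo variable renaming because every constraint here is `true`; rules with ordering constraints such as $x < y$ would need a constraint solver in `predecessors` and in `covers`.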

4.2.3 Liveness Properties in Parameterized Systems 

Let us go back to Petri Nets-like models in which all processes are indistinguishable black tokens, or 
simply a predicate in MSR. Introducing identifiers in a formulation of their semantics in which the 
transition system maintains a log of events can be useful to apply wsts theory to validate properties like 
responsiveness. For instance, assume that rewriting rules expressing local transitions are formulated as

$$p_1(x) \to p_2(x)$$

and rules expressing synchronization are expressed as $p_1(y), q_1(x) \to p_2(x), q_2(y)$. In this setting we 
use the atomic formula $p(x)$ to represent a process instance with identifier $x$. We can now insert events 
in order to keep track of properties of individual processes. For instance, $p_1(x) \to p_2(x), req(x)$ could 
be used to record that process $x$ has entered a given section of its code (e.g. a request to enter a critical 
section). A similar rule can be used to mark that the process enters another critical section of its code: 
$p_1(x) \to p_2(x), ack(x)$. We can now apply HCOV to check for the existence of computations in which a 
process manages to reach the critical section. The considered target state can be symbolically represented 
as the constrained multiset $req(x), ack(x) : true$. 

4.2.4 Correspondence Properties 

We now show how to instantiate the approach to model correspondence properties, i.e., properties that 
require a match between two or more actions. A typical example in protocol analysis is the requirement 
that if agent A receives an ack, then the receiver has received the message sent by A. Consider as an 
example a scenario in which two principals, Alice and Bob, want to share a common secret. We use 
predicates $a_i$ and $b_i$ to denote the states of the two principals. We abstract away the representation of secrets 
and keys. Alice is defined by the following rules:

$$a_0, nonce(x) \to a_1(x), req(x), nonce(x') : x' > x$$
$$a_1(x), ack(x) \to a_2(x) : true$$

Bob is defined by the following rule:

$$b_0, req(x) \to b_1(x), ack(x) : true$$

We can now add events that store complete information about source and destination of messages. For 
instance, $h(msg, agent, nonce)$ can be used to denote type, sender and nonce of messages.

$$a_0, nonce(x) \to a_1(x), req(x), nonce(x')\,[h(req, a, x)] : x' > x$$

$$a_1(x), ack(x) \to a_2(x)\,[h(ack, a, x)] : true$$

$$b_0, req(x) \to b_1(x), ack(x)\,[h(req, b, x), h(ack, b, x)] : true$$

Assume now that a third type of agent can intercept messages sent by Alice and Bob. Trudy has the 
following behavior:

$$t_0, req(x) \to t_1(x), ack(x)\,[h(req, t, x)] : true$$

Using the embedding in MSR(Id), we can now use HCOV to check whether there are successful protocol 
runs in which correspondence is violated, i.e., whether it is possible to reach configurations with history that are 
larger than or equal to the following one:

$$a_2(x)\,[h(req, t, x)] : true$$

This configuration can be used to show that some of the conversations (identified by the nonce $x$) between 
agents $a$ and $b$ have been intercepted by agent $t$, i.e., Alice successfully terminates the protocol but Bob 
has not received the message. 

In the previous example we can reduce the specification to a model with monadic predicates, assuming 
that principal names and message types range over a finite alphabet. In other words, only nonces range 
over an unbounded set of values, and predicates in the history can be rewritten as $h_{msg,ag}(x)$ for $ag$, $msg$ taken 
from a finite set. In this special case we can decide HCOV by using the symbolic backward reachability 
algorithm for MSR(Id). 

5 Conclusions 

In this paper we studied a new application of wsts to transition systems with history information. Historical 
information is used to express properties that relate states generated in different steps of a computation. 
States and events can share information. This makes verification more difficult to handle. To 
overcome the difficulties, we have shown that it is sometimes possible to deduce positive results by using 
existing wsts as meta-languages for expressing transition systems with events. Our analysis lies in 
between wsts with external memory and results obtained when reasoning on sequences of transitions in 
Petri Nets. A peculiarity of our approach is that we consider history information that can depend on 
elements of the current configurations. This can be done to define time-stamps or to handle events that 
contain data taken from configurations. 

Related Work The presented paper shares similarities with recent work on parameterized verification 
of provenance in distributed applications, history automata and types, and formal models with external 
memory. We discuss below these other lines of research. Parameterized verification of provenance in 
distributed applications has been considered in [17]. In this setting regular languages are used as a formal 
tool to analyze the provenance of messages taken from a finite alphabet. Lifting the idea to parameterized 
verification yields models based on Petri Nets in which counters are used to keep track of the state of 
processes and the current step of the automata associated to policies. Using regular languages allows one to define 
complex policies to regulate the flow of messages in a network. The use of predicates to observe the 
history of data shares similarities with approaches based on history expressions introduced in [6]. Register 
Automata and History-Register Automata have also been used to model programs with dynamic 
allocation in [18, 17]. Verification of models with external memory has been considered e.g. in [10]. 
The external memory is used there to keep track of asynchronous invocations during a program execution 
(pushdown system). The main difference with the above mentioned work is that in our setting we restrict 
the class of properties in order to generalize history information so as to maintain relations defined 
over data occurring in states and events. Furthermore, we have formulated conditions that can be used 
to obtain positive results by combining conditions on transition systems and histories. Our results are 
obtained via an application of the theory of well-structured transition systems and via reductions to low 
level concurrency models like rewriting systems in which it is possible to manipulate data taken from an 
infinite ordered domain of identifiers like MSR(Id) [7, 11, 3]. MSR(Id) is also strictly related to ν-nets 
[11], which provide fresh name generation and equality constraints. The relation between MSR(Id) and 
ν-nets is studied in [17]. As shown in the work cited above, the MSR(Id) model is strictly more expressive than Petri Nets 
and it has the same expressive power as Datanets [15], an extension of Petri Nets with ordered data. 